What Is My IP Address? Public & Local IP Finder

4.3 Billion Addresses for 8 Billion People: The IPv4 Crisis That Broke Networking

In 1981, RFC 791 defined the Internet Protocol version 4 with a 32-bit address space — 2³², or exactly 4,294,967,296 unique addresses. The engineers who wrote the spec knew this might eventually be a problem. They did not expect the internet to grow to 8 billion people with multiple devices each.

ARIN (the American Registry for Internet Numbers) exhausted its free IPv4 pool in 2015. RIPE NCC (Europe/Middle East) in 2019. LACNIC (Latin America) in 2020. As of early 2026, the entire available RIR pool has fewer than 4.6 million addresses remaining (APNIC Labs, January 2026). IANA — the body that allocates to RIRs — holds just 768 addresses in reserve (3 /24 prefixes).

The engineering responses to this crisis are responsible for everything confusing about IP addresses today: why your home device shows 192.168.1.x while websites see a completely different address, why multiple households on a street may share the same public IP, why your VPN changes what websites think your location is, and why “what is my IP” returns a different answer depending on how and where you ask.

Understanding these mechanics is not just academic — it affects API rate limiting, geolocation-based features, WebRTC peer connections, security logging, and abuse detection in every application you build.

Public vs. Local IP: Why You Have Two (or More)

When you ask “what is my IP address?”, the answer depends on the question you're actually asking.

Your Local (Private) IP Address

Your router assigns local IP addresses to every device on your network using DHCP. These come from the three private ranges defined in RFC 1918 (published 1996):

Private IPs are not routable on the public internet. A packet from 192.168.1.100 sent to an external server would be dropped at the first ISP router. They exist only within your local network.

There is also 169.254.0.0/16 — link-local addresses (APIPA). When DHCP fails, Windows and macOS auto-assign addresses from this range. If your device shows 169.254.x.x, it means it failed to get a DHCP lease — typically a misconfiguration or network fault.

Your Public IP Address

Your public IP is assigned by your ISP from one of its allocated blocks. It is what the internet sees when you make requests. Your router translates between local and public IPs using NAT (Network Address Translation) — replacing the source IP on outbound packets and reverse-mapping incoming responses to the correct local device.

Depending on your ISP and subscription type, your public IP may be:

• •Static — fixed, does not change. Common for business plans. Necessary for hosting servers, running VPNs, SSH without dynamic DNS.
• •Dynamic — changes periodically (usually on router restart or DHCP lease expiry). Standard for consumer plans.
• •CGNAT — your “public” IP is actually a shared private address behind your ISP's NAT. More on this below.

NAT and CGNAT: Why Sharing an IP Is a Problem

Network Address Translation (NAT) was designed as a stopgap for IPv4 exhaustion. It lets an entire household share a single public IP — your router tracks outbound connections using a connection table keyed by port numbers, mapping responses back to the correct internal device.

Carrier-Grade NAT (CGNAT) adds a second NAT layer. Your household gets a “public” IP that is actually a private address in the 100.64.0.0/10 range (RFC 6598). Your ISP then NATes that to a real public IP shared with potentially thousands of other subscribers. You cannot run servers behind CGNAT without ISP assistance, cannot port-forward reliably, and your requests appear to originate from the same IP as many other users.

This last point has concrete consequences. Cloudflare's 2025 research found that CGNAT IPs are rate-limited 3× more often than regular public IPs in their systems — collateral punishment because one malicious user behind the same CGNAT IP triggers blocks that affect thousands of innocent users. African cellular networks are especially affected: two-thirds of measured ASes in Africa's mobile networks use CGNAT (APNIC Blog, 2022), as does most of Eastern Europe, South America, and South/Southeast Asia.

If your application does rate limiting by IP address — as most REST APIs do — you need to account for CGNAT. A strict per-IP rate limit may effectively block an entire ISP's mobile subscriber base if one subscriber misbehaves. Consider supplementing with per-user authenticated limits, especially for mobile-heavy user bases.

For API design decisions around rate limiting and responses, the HTTP status codes reference covers 429 Too Many Requests and the Retry-After header correctly.

IPv6: The Long-Delayed Fix

IPv6 was standardized in RFC 2460 in 1998 — two years after IETF engineers realized IPv4 would run out. Its 128-bit address space provides 3.4×10³⁸ addresses — enough for every grain of sand on Earth to have its own IP, with addresses left over.

Adoption has been slow. As of 2025, global IPv6 traffic measured by Google sits at approximately 43%. Country-level adoption is uneven:

Source: Google IPv6 Statistics (Feb 2026), Internet Society Pulse.

An IPv6 address looks like 2001:db8:85a3::8a2e:370:7334 — eight groups of four hex digits, with consecutive zero groups collapsed to ::. Unlike IPv4, every device gets a globally unique IPv6 address — NAT is architecturally unnecessary. This is both the security upside (proper end-to-end connectivity) and the concern (every device is directly reachable, requiring proper firewall configuration).

For applications, the practical implication is that you will increasingly receive IPv6 client addresses in server logs and APIs. Code that assumes IP addresses are 15 characters or less is broken — IPv6 addresses can be up to 39 characters. The X-Forwarded-For header may contain a mix of IPv4 and IPv6 addresses depending on the proxy chain.

IP Geolocation: What It Can and Cannot Tell You

Every “what is my IP” tool includes geolocation data. Understanding its accuracy limits prevents building applications that rely on it for precision they cannot achieve.

MaxMind is the dominant IP geolocation database, powering most commercial IP lookup services. Their published accuracy figures (MaxMind official documentation):

Accuracy degrades significantly for cellular IPs and CGNAT addresses. A mobile user in Chicago may geolocate to Dallas if their carrier routes traffic through a Texas gateway. IPv6 addresses have even less consistent database coverage as the allocations are newer.

Practical consequences: do not use IP geolocation to restrict access to services requiring legal compliance with geographic regulations — it will both over-block and under-block. Do not use it to determine tax jurisdiction or payment region. It is appropriate for UX defaults (pre-selecting a user's country in a form), approximate content localization, and fraud signal enrichment where it is one of many signals.

IP Lookup APIs: Free Tier Comparison

For programmatic IP lookups, here is an honest comparison of the main free-tier options:

Finding Your Public IP Programmatically

// Node.js: get public IP
const res = await fetch('https://icanhazip.com')
const publicIp = (await res.text()).trim()

// Node.js: get local IPs
import { networkInterfaces } from 'os'

function getLocalIPs(): string[] {
  const nets = networkInterfaces()
  const results: string[] = []

  for (const iface of Object.values(nets)) {
    if (!iface) continue
    for (const net of iface) {
      // Skip loopback (127.x) and APIPA (169.254.x)
      if (!net.internal && net.family === 'IPv4') {
        results.push(net.address)
      }
    }
  }
  return results
}

# Python: get public IP
import urllib.request
public_ip = urllib.request.urlopen('https://icanhazip.com').read().decode().strip()

# Python: get local IP (connects to external address, reads socket)
import socket
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.connect(('8.8.8.8', 80))  # doesn't actually send data
    local_ip = s.getsockname()[0]

# curl: fastest one-liners
curl -4 https://icanhazip.com    # public IPv4
curl -6 https://icanhazip.com    # public IPv6 (if available)
curl https://ipinfo.io/json      # full JSON with geolocation

Parsing X-Forwarded-For in Production

In server applications behind a load balancer or reverse proxy, the client IP is in the X-Forwarded-For header, not the socket's remote address. The header is a comma-separated list where the leftmost IP is the original client:

X-Forwarded-For: 203.0.113.5, 10.0.0.1, 172.16.0.50
#                ^-- real client  ^-- internal proxies

Never trust the leftmost IP blindly — it can be spoofed by a client sending a fake X-Forwarded-For header before your proxy chain adds to it. The safe approach: trust only the Nth-from-right IP, where N is the number of known trusted proxies in your infrastructure. Many frameworks (Express.js trust proxy, FastAPI ProxyHeadersMiddleware) handle this with proper configuration.

This connects to how DNS resolution works downstream — see the DNS records guide for how A/AAAA records map hostnames to these IP addresses.

WebRTC IP Leaks: When Your VPN Is Not Protecting You

WebRTC (Web Real-Time Communication) is a browser API for peer-to-peer audio, video, and data channels. To establish a direct connection, it uses the ICE (Interactive Connectivity Establishment) protocol, which discovers all of a device's IP addresses — including local network IPs and the public IP visible to STUN servers.

The problem: browsers execute WebRTC discovery at the OS network level, bypassing the VPN tunnel. This means that even with a VPN active, a malicious web page can recover your real IP using a few lines of JavaScript:

// How WebRTC IP discovery works (simplified)
const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] })
pc.createDataChannel('')
pc.createOffer().then(offer => pc.setLocalDescription(offer))
pc.onicecandidate = (event) => {
  if (event.candidate) {
    // event.candidate.candidate contains the IP address
    console.log(event.candidate.candidate)
  }
}

Research by Security.org found that 23% of VPNs leak real IPs via WebRTC. The VPN encrypts traffic but the WebRTC STUN exchange happens before the tunnel processes the request.

Mitigation

• •Firefox: Set media.peerconnection.enabled to false in about:config. Disables WebRTC entirely — breaks video calls.
• •Chrome: Google's official WebRTC Network Limiter extension restricts IP exposure without breaking WebRTC.
• •VPN clients: Choose a provider that advertises WebRTC leak protection — it routes WebRTC STUN requests through the tunnel.
• •For developers building privacy tools: Set iceTransportPolicy: 'relay' in RTCPeerConnection config to force all traffic through TURN servers, preventing local IP disclosure.

Beyond WebRTC, VPN vulnerabilities have been growing: Zscaler ThreatLabz's 2025 VPN Risk Report found that VPN CVEs grew 82.5% over the tracked period, with ~60% rated high or critical CVSS. 92% of surveyed organizations are concerned VPN vulnerabilities will lead to ransomware attacks.

IPv4 Address Market: The $35–55/IP Secondary Market

IPv4 exhaustion created a multi-billion dollar secondary market. Addresses that were allocated for free to universities and early adopters now trade at market rates. Since 2012, 309 million IPv4 addresses have changed hands in transfer markets — approximately 18.4 /8 blocks, or 8% of the total delegated address space (APNIC Blog, 2024).

2024–2025 market prices (IPv4 Global, CircleID, Voldeta):

• •Purchase: /24 blocks (256 IPs) trading at $33–$45/IP. Larger /16 blocks (65,536 IPs) saw a sharp drop from ~$50/IP in 2023 to ~$24/IP mid-2025 as large institutional sellers entered the market.
• •Leasing: $0.40–$0.50/IP/month on platforms like IPXO, with APNIC-region IPs commanding >$0.60/IP/month due to tighter regional supply.

This market is why cloud providers charge for public IPs. AWS charges $0.005/hour per public IPv4 (roughly $3.60/month) for all EC2 instances as of 2024, explicitly citing IPv4 scarcity costs. Azure and GCP have similar pricing.

Frequently Asked Questions